6 comments

[ 4.2 ms ] story [ 25.9 ms ] thread
This really illustrates a broad security issue with open source development and methodology.

Who vets contributors, maintainers and submissions?

Answer: Unknown in many (if not most) cases. Unless you have the time and expertise to do so yourself; it is purely based on trust.

> The Debian development team declined to remove the affected images, stating that they were development builds that should not be used on real systems in place of newer, clean container versions.

Classic Debian security management

>While xz is commonly present in most Linux distributions,

Not Slackware since Slackware does not patch xz or many other utilities. Plus it does not use systemd. From what I remember a patch was put in to give systemd extra functionality and someone used that patch to sneak in the backdoor.

Given this was backdoor was likely funded by a nation-state actor and very carefully obfuscated, the fact that it was discovered within a month and never rolled out to production releases, shows that the open source process mostly worked. Not saying it couldn't be better.
The behemoth that is autotools mostly helped to conceal the backdoor (and contributed to the payload)

It's an old legacy technology that needs to die out from all forms of distributions (looking at you GNU)

(comment deleted)